Ghost In The Browser - Broad-Scale Espionage With Bitsquatting
Presentation from Kaspersky SAS 2019 on an unfortunate side effect of achieving HTTPS everywhere, and on what can be done to mitigate the risk.
Presentation by Oscar Salazar and Rob Ragan at Kaspersky SAS 2019
Bit flips happen more often than you might think, especially on mobile devices and especially on cheap phones whose memory has higher FIT (Failures-In-Time) rates. In the past, encryption in transit (TLS/SSL) would have protected you against the most dangerous opportunistic attackers, because obtaining a valid certificate was cost prohibitive for them. Today, however, certificates are free: free for you and free for threat actors, thanks to Let's Encrypt and the major cloud providers.
While free certificate authorities are a net positive for internet security, we already know attackers are using the HTTPS padlock to undermine security awareness training and make phishing more successful. What about corporate espionage? That is precisely what we investigated in this presentation.
- How to steal passwords
- How to steal DOM and session tokens
- How to capture screenshots of what victims are seeing while browsing the web
- How to persist in their cache and spy on their browsing activities
- What are the domains most frequently requested by machines (phones, laptops, servers, CI/CD, etc.)?
- Who has registered bitsquats of these domains and has listening ports on HTTP/HTTPS/SMTP?
- Which bitsquat domains are actively listening, and what can their owners do with them?
- How are we going to monitor these bitsquats for abuse?
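The monitoring question above starts with knowing which names a single bit flip can turn your domain into. The following is an added example, not code from the presentation: it enumerates the syntactically valid single-bit-flip variants of a domain (the names to register defensively or watch in passive DNS and certificate transparency logs) and flags observed hostnames, such as SNI or Host header values from proxy logs, that are one bit flip away from a domain you own. Sample hostnames and the domain `ab.example` are constructed for illustration.

```python
import string

# Characters a DNS hostname label may contain, case folded to lowercase:
# DNS is case-insensitive, so an upper/lowercase flip resolves harmlessly
VALID_CHARS = set(string.ascii_lowercase + string.digits + "-")


def _valid_name(name):
    """Every label non-empty and not starting or ending with a hyphen."""
    return all(lbl and lbl[0] != "-" and lbl[-1] != "-" for lbl in name.split("."))


def bitsquats(domain):
    """Sorted hostnames exactly one bit flip away from `domain` (TLD and dots
    left intact) that are still syntactically valid hostnames."""
    name, tld = domain.lower().rsplit(".", 1)  # assumes at least one dot
    found = set()
    for i, ch in enumerate(name):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in VALID_CHARS:
                candidate = name[:i] + flipped + name[i + 1:]
                if _valid_name(candidate):
                    found.add(candidate + "." + tld)
    return sorted(found)


def is_bitsquat(observed, canonical):
    """True if `observed` differs from `canonical` in exactly one character
    and that character differs by exactly one bit."""
    observed, canonical = observed.lower(), canonical.lower()
    if len(observed) != len(canonical):
        return False
    diffs = [(a, b) for a, b in zip(observed, canonical) if a != b]
    return len(diffs) == 1 and bin(ord(diffs[0][0]) ^ ord(diffs[0][1])).count("1") == 1


def flag_bitsquats(hosts, canonical):
    """Subset of `hosts` that are single-bit-flip variants of `canonical`."""
    return [h for h in hosts if is_bitsquat(h, canonical)]


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in proxy logs
    seen = ["ab.example", "ac.example", "ad.example", "qb.example", "abc.example"]
    print(bitsquats("ab.example"))
    print(flag_bitsquats(seen, "ab.example"))  # ['ac.example', 'qb.example']
```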